Signatures

Last updated 1 year ago

Signatures

Nocturne uses a variant of Schnorr signatures over Baby Jubjub. The secret key is derived from the spending key $sk$ , and the public key is the spending public key $\text{PK}$ .

Spelled out, signing takes as input a message hash $m$ and proceeds as follows:

$h \leftarrow \text{SHA512}(sk)$
$s \leftarrow h[0:32]$ (derive the signing secret key from the spending key)
$x \leftarrow h[32:64]$ (extract 32 bytes of entropy from the spending key)
$v \leftarrow \text{randomBytes}(32)$ (sample another 32 random bytes)
$n \leftarrow \text{SHA512}(x\ ||\ v\ ||\ m) \mod r \in \mathbb{F_r}$ ("reduce" hash output into $\mathbb{F}_r$ , using extra entropy from $sk$ addition to the rng)
$R \leftarrow n \times G$ (the rest is a "standard" Schnorr signature)
$c \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$
$z \leftarrow n - \text{sk} \cdot c$
The signature is the pair $(c, z)$

To verify, we take as input the message $m$ and signature $(c, z)$ and do the following (this is the standard verification procedure):

$Z \leftarrow z \times G$
$P \leftarrow c \times \text{PK}$
$R \leftarrow Z + P$
$cp \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$
Accept the signature if $cp = c$ . Reject it otherwise.

Security Requirements

The signature scheme must be strongly unforgeable under chosen-message-attack (SUF-CMA).

Security Argument

Schnorr signature schemes are known to be secure under the discrete log assumption and the random-oracle model. In our case, it's secure based on the following assumptions:

Poseidon is a random oracle
The discrete log problem is infeasible in Baby Jubjub

PreviousStealth Addresses NextEncodings

Last updated 1 year ago

Nocturne uses a variant of Schnorr signatures over Baby Jubjub. The secret key is derived from the spending key $sk$ , and the public key is the spending public key $\text{PK}$ .

Spelled out, signing takes as input a message hash $m$ and proceeds as follows:

$h \leftarrow \text{SHA512}(sk)$
$s \leftarrow h[0:32]$ (derive the signing secret key from the spending key)
$x \leftarrow h[32:64]$ (extract 32 bytes of entropy from the spending key)
$v \leftarrow \text{randomBytes}(32)$ (sample another 32 random bytes)
$n \leftarrow \text{SHA512}(x\ ||\ v\ ||\ m) \mod r \in \mathbb{F_r}$ ("reduce" hash output into $\mathbb{F}_r$ , using extra entropy from $sk$ addition to the rng)
$R \leftarrow n \times G$ (the rest is a "standard" Schnorr signature)
$c \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$
$z \leftarrow n - \text{sk} \cdot c$
The signature is the pair $(c, z)$

To verify, we take as input the message $m$ and signature $(c, z)$ and do the following (this is the standard verification procedure):

$Z \leftarrow z \times G$
$P \leftarrow c \times \text{PK}$
$R \leftarrow Z + P$
$cp \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$
Accept the signature if $cp = c$ . Reject it otherwise.

Security Requirements

The signature scheme must be strongly unforgeable under chosen-message-attack (SUF-CMA).

Security Argument

Schnorr signature schemes are known to be secure under the discrete log assumption and the random-oracle model. In our case, it's secure based on the following assumptions:

Poseidon is a random oracle
The discrete log problem is infeasible in Baby Jubjub